on 06-21-2013 7:42 PM
The GRC Tool is tracking only a portion of your segregation of duties (SoD) and transaction risks if you have
not added your custom transactions to the SAP rule set. The rule set tracks risks created by conflicts between two transactions and risks created by the transaction itself.
SAP GRC comes with a default rule set that contains segregation of duties (SoD) transactions and critical action
transactions. However, this default rule set includes only transactions delivered by SAP, not the custom transactions created by the company using the SAP system.
Most companies ignore the custom programs and tables in the system, assuming they are merely reports. This is far from the truth.
The presence of such custom objects (Z transaction codes, Z objects and Z tables) may create significant additional SoD exposure in the SAP HR and
payroll system over what is presented in this report. For example, a sampling of Z codes revealed that many of the custom transaction descriptions are false: most descriptions indicated "display" only capability, when in fact many of those custom transactions had the capability to "change"
and/or "create" within the SAP system.
Process for mapping a custom transaction to the SAP GRC rule set:
Once you have identified the functionality of the custom transaction, create a new Function if the rule set does not already contain one for that functionality, or add
the custom transaction to the matching existing Function in the rule set.
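As an added example that is not part of the original post, the following Python script illustrates the blind spot described above: SoD risks are evaluated through functions, so a Z transaction that is mapped to no function never triggers a conflict, and mapping it to the right existing function is what makes the conflict visible. It also flags custom transactions whose description says "display" while they actually check create (ACTVT 01) or change (ACTVT 02). All function IDs, risk IDs, Z transaction codes and activity values are constructed sample data, not an export from a real GRC system.

```python
"""Rule-set coverage check for custom (Z) transactions. Constructed sample data."""

# Constructed rule set: function ID -> transaction codes (actions) it contains.
RULESET_FUNCTIONS = {
    "AP01_Maintain_Vendor": {"FK01", "FK02", "XK01", "XK02"},
    "AP02_Post_Vendor_Invoice": {"FB60", "MIRO"},
}
# Constructed SoD risks: risk ID -> the pair of functions that conflict.
RULESET_RISKS = {
    "P001_Vendor_Master_vs_Invoice": ("AP01_Maintain_Vendor", "AP02_Post_Vendor_Invoice"),
}
# Constructed custom tcodes: tcode -> (description text, ACTVT values actually checked).
CUSTOM_TCODES = {
    "ZFB60_DISP": ("Display vendor invoices", {"03"}),
    "ZVEND_UPD": ("Display vendor master", {"02", "03"}),  # description hides change access
}


def functions_for(tcodes, functions):
    """Functions enabled by a set of tcodes (any action in the function is enough)."""
    return {f for f, actions in functions.items() if actions & tcodes}


def sod_violations(user_tcodes, functions=RULESET_FUNCTIONS, risks=RULESET_RISKS):
    """Risk IDs for which the user's tcodes enable both conflicting functions."""
    enabled = functions_for(set(user_tcodes), functions)
    return sorted(r for r, (f1, f2) in risks.items() if f1 in enabled and f2 in enabled)


def unmapped_custom_tcodes(custom, functions):
    """Custom tcodes that appear in no function, i.e. invisible to the rule set."""
    mapped = set().union(*functions.values())
    return sorted(t for t in custom if t not in mapped)


def misleading_descriptions(custom):
    """Tcodes described as display-only that actually check create (01) or change (02)."""
    return sorted(t for t, (desc, actvt) in custom.items()
                  if "display" in desc.lower() and actvt & {"01", "02"})


def map_tcode(functions, function, tcode):
    """Add a custom tcode to an existing function; returns an updated copy of the rule set."""
    updated = {f: set(a) for f, a in functions.items()}
    updated.setdefault(function, set()).add(tcode)
    return updated


if __name__ == "__main__":
    user = {"ZVEND_UPD", "FB60"}  # can change vendors via Z tcode and post invoices
    print("before mapping:", sod_violations(user))              # [] -> risk missed
    fixed = map_tcode(RULESET_FUNCTIONS, "AP01_Maintain_Vendor", "ZVEND_UPD")
    print("after mapping:", sod_violations(user, functions=fixed))
```

The same approach generalises to a real rule-set export by replacing the constructed dictionaries with the function/action and risk tables pulled from GRC and the ACTVT values from the transaction's authorization checks.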
True, this has been the practice since Virsa as well.
Z tcodes are called coupled tcodes, which will not be part of any rule set. You have to identify the functionalities and map them to an existing risk or create a new risk.
Every company builds transactions based on their requirements; they may not need standard tcodes.
Some companies go with a customized rule set and don't need the SAP standard rule set; in those cases, work with developers, business leads and the internal auditor to build the rule set.
Regards,
Prasant K Paichha
Hi Prasant,
I understand adding Z tcodes and custom objects to the SAP GRC rule set. Is there any existing practice for adding SAP Business Workflow work items to the SAP GRC rule set? For example, you would identify the functionalities of a Workflow work item and map them to an existing risk or create a new risk.
Are there any existing practices, white papers, conversations or blogs for GRC SoD control, monitoring and mitigation of Workflow work items? For example, a Workflow work item for Approving Funds could be analyzed and possibly mapped to an existing risk, or a new risk could be created.
Thank you very much,
Sheldon Oxenberg